fix: Prevent attr update when external pdp is down (#39978)

KevLehman · web-flow · commit 5000d66b72b0 · 2026-03-30T11:33:15.000-06:00
diff --git a/apps/meteor/tests/end-to-end/api/abac.ts b/apps/meteor/tests/end-to-end/api/abac.ts
@@ -2942,6 +2942,21 @@ const addAbacAttributesToUserDirectly = async (userId: string, abacAttributes: I
 
 			await deleteUser(newUser);
 		});
+
+		it('should deny room attribute changes when PDP is unavailable', async () => {
+			await mockServerReset();
+			await mockServerSet('GET', '/healthz', { status: 'NOT_SERVING' });
+
+			await request
+				.post(`/api/v1/abac/rooms/${room._id}/attributes/${attrKey}`)
+				.set(credentials)
+				.send({ values: ['beta'] })
+				.expect(400)
+				.expect((res) => {
+					expect(res.body).to.have.property('success', false);
+					expect(res.body).to.have.property('error', 'error-pdp-unavailable');
+				});
+		});
 	});
 
 	describe('Selective DENY: only non-permitted users are removed', () => {
diff --git a/ee/packages/abac/src/errors.ts b/ee/packages/abac/src/errors.ts
@@ -10,6 +10,7 @@ export enum AbacErrorCode {
 	AbacUnsupportedObjectType = 'error-abac-unsupported-object-type',
 	AbacUnsupportedOperation = 'error-abac-unsupported-operation',
 	OnlyCompliantCanBeAddedToRoom = 'error-only-compliant-users-can-be-added-to-abac-rooms',
+	PdpUnavailable = 'error-pdp-unavailable',
 }
 
 export class AbacError extends Error {
@@ -91,3 +92,9 @@ export class OnlyCompliantCanBeAddedToRoomError extends AbacError {
 		super(AbacErrorCode.OnlyCompliantCanBeAddedToRoom, details);
 	}
 }
+
+export class PdpUnavailableError extends AbacError {
+	constructor(details?: unknown) {
+		super(AbacErrorCode.PdpUnavailable, details);
+	}
+}
diff --git a/ee/packages/abac/src/index.ts b/ee/packages/abac/src/index.ts
@@ -24,6 +24,7 @@ import {
 	AbacInvalidAttributeValuesError,
 	AbacUnsupportedObjectTypeError,
 	AbacUnsupportedOperationError,
+	PdpUnavailableError,
 } from './errors';
 import {
 	getAbacRoom,
@@ -416,6 +417,7 @@ export class AbacService extends ServiceClass implements IAbacService {
 	}
 
 	async setRoomAbacAttributes(rid: string, attributes: Record<string, string[]>, actor: AbacActor): Promise<void> {
+		await this.ensurePdpAvailable();
 		const room = await getAbacRoom(rid);
 
 		if (!Object.keys(attributes).length && room.abacAttributes?.length) {
@@ -438,6 +440,7 @@ export class AbacService extends ServiceClass implements IAbacService {
 	}
 
 	async updateRoomAbacAttributeValues(rid: string, key: string, values: string[], actor: AbacActor): Promise<void> {
+		await this.ensurePdpAvailable();
 		const room = await getAbacRoom(rid);
 
 		const previous: IAbacAttributeDefinition[] = room.abacAttributes || [];
@@ -514,6 +517,7 @@ export class AbacService extends ServiceClass implements IAbacService {
 	}
 
 	async addRoomAbacAttributeByKey(rid: string, key: string, values: string[], actor: AbacActor): Promise<void> {
+		await this.ensurePdpAvailable();
 		await ensureAttributeDefinitionsExist([{ key, values }]);
 
 		const room = await getAbacRoom(rid);
@@ -536,6 +540,7 @@ export class AbacService extends ServiceClass implements IAbacService {
 	}
 
 	async replaceRoomAbacAttributeByKey(rid: string, key: string, values: string[], actor: AbacActor): Promise<void> {
+		await this.ensurePdpAvailable();
 		await ensureAttributeDefinitionsExist([{ key, values }]);
 
 		const room = await getAbacRoom(rid);
@@ -649,6 +654,12 @@ export class AbacService extends ServiceClass implements IAbacService {
 
 	private pdpType: 'local' | 'virtru' = 'local';
 
+	private async ensurePdpAvailable(): Promise<void> {
+		if (!(await this.pdp?.isAvailable())) {
+			throw new PdpUnavailableError();
+		}
+	}
+
 	private async removeUserFromRoom(room: AtLeast<IRoom, '_id'>, user: IUser, reason: AbacAuditReason): Promise<void> {
 		return Room.removeUserFromRoom(room._id, user, {
 			skipAppPreEvents: true,
diff --git a/ee/packages/abac/src/pdp/VirtruPDP.ts b/ee/packages/abac/src/pdp/VirtruPDP.ts
@@ -297,14 +297,6 @@ export class VirtruPDP implements IPolicyDecisionPoint {
 			return [];
 		}
 
-		if (!(await this.isAvailable())) {
-			pdpLogger.warn({
-				msg: 'Virtru PDP is unavailable, skipping room attributes evaluation — no users will be removed',
-				roomId: room._id,
-			});
-			return [];
-		}
-
 		const users = Users.findActiveByRoomIds([room._id], {
 			projection: { _id: 1, emails: 1, username: 1 },
 		});

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ export enum AbacErrorCode {`
`10`	`10`	`AbacUnsupportedObjectType = 'error-abac-unsupported-object-type',`
`11`	`11`	`AbacUnsupportedOperation = 'error-abac-unsupported-operation',`
`12`	`12`	`OnlyCompliantCanBeAddedToRoom = 'error-only-compliant-users-can-be-added-to-abac-rooms',`
	`13`	`+ PdpUnavailable = 'error-pdp-unavailable',`
`13`	`14`	`}`
`14`	`15`
`15`	`16`	`export class AbacError extends Error {`
`@@ -91,3 +92,9 @@ export class OnlyCompliantCanBeAddedToRoomError extends AbacError {`
`91`	`92`	`super(AbacErrorCode.OnlyCompliantCanBeAddedToRoom, details);`
`92`	`93`	`}`
`93`	`94`	`}`
	`95`	`+`
	`96`	`+export class PdpUnavailableError extends AbacError {`
	`97`	`+ constructor(details?: unknown) {`
	`98`	`+ super(AbacErrorCode.PdpUnavailable, details);`
	`99`	`+ }`
	`100`	`+}`